CVE-2025-45994
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-10-03
Assigner: MITRE
Description
Description
An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arandasoft | passrecovery | 1.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Aranda PassRecovery v1.0 allows attackers to determine which user accounts exist in Active Directory by sending a specially crafted POST request to the /user/existdirectory/1 endpoint. Essentially, it enables account enumeration.
How can this vulnerability impact me? :
The vulnerability can allow attackers to identify valid user accounts in your Active Directory, which can be used as a first step in targeted attacks such as phishing, brute force, or other unauthorized access attempts.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70